
Comments on Access Control Model draft - DNS wildcards
In the BNF in section 4.1.1, the definition of ipAddress allows a
"printableString" with the note that it allows a wildcard domain name
"such as *.airius.com".  I think we need a better definition of how
wildcards may be used.

For example, could I use "*RUS.COM" to allow TOYSRUS.COM, CARSRUS.COM,
JUNKBONDSRUS.COM, etc?  Or could I use "att.*" to allow att.com,
att.net, att.org, etc?  And does "*.*" match all domain names, or only
second level domain names?  I suspect the intention is to allow
wildcards only as the leftmost part of the specification, that the
wildcard MUST have a "." immediately to its right, and that a wildcard
can match any number of domain components.  But we need to clarify
this.

Also, a related comment on domain names.  In section 4.2.3 the list of
defined subjects includes "ipAddress, in IPv6 text format".  Given the
BNF, shouldn't this say "ipAddress in IPv6 text format or a wildcarded
domain name"?  Incidentally, since the DNS name can be wildcarded, is
ipAddress really the proper name for this category?

Rick Huber
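The following is an added illustration, not part of the post above or of the Access Control Model draft it comments on. It implements the strict reading the post proposes (a wildcard only as the leftmost label, immediately followed by ".", matching one or more labels) and shows that the ambiguous forms the post asks about ("*RUS.COM", "att.*", "*.*") are rejected outright rather than silently matching more than intended. The function names and the grammar regex are the example's own assumptions; the draft's actual BNF for `printableString` may differ.

```python
import re

# Constructed example; not code from the post or the draft.
# Strict grammar assumed here: optional leading "*." followed by a plain
# domain name made of LDH labels. This is one possible reading of the
# draft, chosen because it leaves no room for "*RUS.COM"-style matches.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
STRICT_PATTERN = re.compile(rf"^(\*\.)?{LABEL}(?:\.{LABEL})*$")


def is_valid_pattern(pattern: str) -> bool:
    """True if pattern is a plain domain name or has exactly one leading '*.'."""
    return STRICT_PATTERN.match(pattern) is not None


def matches(pattern: str, name: str) -> bool:
    """Case-insensitive match of a host name against a strict wildcard pattern.

    '*.airius.com' matches 'www.airius.com' and 'a.b.airius.com' (any number
    of components), but not 'airius.com' itself, and not 'evilairius.com',
    because the wildcard must consume at least one whole label.
    Raises ValueError for patterns the strict grammar rejects, so an
    overly broad subject never gets into an ACL by accident.
    """
    if not is_valid_pattern(pattern):
        raise ValueError(f"invalid wildcard pattern: {pattern!r}")
    p = pattern.lower().rstrip(".")  # tolerate a trailing FQDN dot
    n = name.lower().rstrip(".")
    if p.startswith("*."):
        suffix = p[1:]  # ".airius.com": keeps the label boundary in the check
        return n.endswith(suffix) and len(n) > len(suffix)
    return n == p


def classify_examples(patterns) -> dict:
    """Report which candidate patterns the strict grammar accepts."""
    return {pat: is_valid_pattern(pat) for pat in patterns}


if __name__ == "__main__":
    # The forms questioned in the post, plus the draft's own "*.airius.com".
    for pat, ok in classify_examples(
        ["*.airius.com", "*RUS.COM", "att.*", "*.*"]
    ).items():
        print(f"{pat:14} valid={ok}")
    print(matches("*.airius.com", "mail.eng.airius.com"))  # True
    print(matches("*.airius.com", "airius.com"))           # False
```

The key defensive choice is that `matches` refuses to evaluate an invalid pattern at all; an ACL entry that does not fit the grammar should fail loudly when the policy is loaded rather than be interpreted loosely at lookup time.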